7 minute read 16 Dec 2019

How organizations should respond to a complex cyberattack

By Andrew Gordon

EY Global Forensic & Integrity Services Leader

Global Forensics Leader focusing on helping organizations build their integrity agenda so they better anticipate and mitigate risk.

Related topics Assurance Forensics Risk


EY discussions across the world show the importance of embedding culture and integrity and keeping poor standards of behavior in check.

Companies often state that their intention is to always do the right thing, and yet we have all seen well-publicized instances when they fail to do so in reality. How can this aspiration of organizations worldwide be translated into effective business practices? Is regulatory compliance a drag on a company’s competitiveness or a cost-saver that will boost its long-term prospects?

These were some of the critical questions addressed by top corporate lawyers, forensic accountants, senior compliance executives and regulators as a part of a global six-event series titled “Enhancing corporate integrity,” which the EY teams organized around the world in 2019. Nearly 200 senior executives participated, with legal and compliance functions making up the majority of the attendees, along with a number of regulators, who gathered to discuss fraud and corruption risks that continue to challenge businesses globally.

While looking at the fraud, misconduct and compliance risks companies face today, the attendees discussed the lessons that they have learned over the decades. There was a general consensus that culture is always at the top of their agenda and is considered to be a priority for building effective and long-term compliance programs. Some participants expressed doubts on whether whistle-blower rewards had proven to be effective.

The critical role of technology in compliance programs was universally recognized, while there was a balanced view around the risks created by the adoption of technology when compared with its limitations.

Mitigating conduct risk — enhancing a culture of integrity

In debates about culture, many participants pointed out that most employee frauds are opportunistic and not well-planned, ingenious schemes. Embedding an integrity culture — good governance, honesty, effective controls and data analytics tools — across a business can reduce risks and improve a company’s performance.

There was also a strong consensus that the compliance function needs to shift from just being a narrowly legalistic activity to one that is rooted in ethics and culture. Compliance should be an organization-wide function rather than one that is the exclusive responsibility of the chief compliance officer or the general counsel. It is unrealistic to think that an individual executive or department can single-handedly police all operations throughout an organization.

When it comes to testing and measuring if goals were being achieved, there was a clear gap between ambition and capability within many organizations in how they used technology to detect and prevent fraud and misconduct.

At the event conducted in Sydney, Australia, many examples were given of how companies are implementing profound structural changes that are aimed at becoming more customer-focused, boosting transparency and embracing an integrity culture.

In Hong Kong, one attendee spoke of the need to engage employees through staff-led solutions. This would help organizations change, as workers have a vested interest in the solutions being successful.

In Princeton, New Jersey, where the focus was on the pharmaceutical sector, executives described strategies for spreading accountability throughout their organizations. Some said they used tactics, such as “ride-along” with sales representatives, to understand how the rules about interacting with doctors and patients were put into practice.

In Mumbai, participants pointed out that, along with fostering a strong internal culture of integrity, companies must also look carefully at the values and practices of the third-party agents they engage with, such as suppliers and consultants, whose misconduct could harm their reputation.

Does the reward system work?

At the event held in London, there was widespread disapproval of bounties for whistle-blowers. Others, however, believed that whistle-blowers face huge obstacles, such as potential conflicts with nondisclosure agreements.

In Sydney, attendees debated whether, in the wake of Australia’s Royal Commission inquiry into misconduct in the financial services industry, the proposed regulatory changes, new codes of conduct and remuneration policies would succeed in building an integrity culture and reduce misconduct. There was some skepticism that the new remuneration policies would go far enough in limiting the type of shorter-term financial incentives that encourage fraud and poor behavior.

Technology is one tool that can help, but not single-handedly

Technology was identified as being important in helping companies detect and prevent fraud and misconduct. Artificial intelligence (AI) and innovative digital technologies are creating vast vaults of data that can be analyzed by companies to boost compliance. But this data must be securely managed, or it can pose a serious risk to business integrity.

At the event held in Asia, one attendee discussed using surveillance and big data to identify bad behavior as well as deploying psychographic analysis — “We need to understand our people,” he said plainly.

However, not everyone saw the “Big Brother” approach as the right strategy or the only answer, and some even expressed concerns around privacy. Privacy inevitably came into sharp focus whenever the conversation turned to technology. Numerous participants asserted that human management was essential to safeguard a proper appraisal of the privacy issues brought about by new technology and to supervise relationships between a company and its staff.

Aside from technology, one regulator asked if the right people, typically lawyers, were being deployed to implement the changes required — “Do we have the right skill sets to support culture change?” she asked. For setting up the right framework, certainly. But when it comes to testing and measuring if the goals were being achieved, there was a gap between ambition and capability within many organizations.

Integrity leads to commercial success

Across the six events held globally, while participants expressed concerns about the serious risks that businesses were facing, the mood was generally uplifting. For most, there was a feeling that things were improving. Enforcing corporate culture, according to many, was becoming a board-level responsibility. Chief executives and directors, now more than ever before, recognize the regulatory, reputational and commercial consequences of getting it wrong.

At the event held in London, one guest speaker went so far as to predict that large-scale corporate corruption would cease to exist in years to come — “Corruption is anti-competitive, increases poverty and matters deeply,” she said.

In Mumbai, participants agreed that India’s business leaders have become far more serious about preventing fraud and corruption in recent years. There was general agreement that strong corporate governance is critical for the country to attract the foreign portfolio investment needed for its economy.

A company that acts with integrity and adheres to sound principles of morality will be better placed to combat illegal and irregular conduct. It will also improve its business performance.

Poor behavior will never be eradicated, but its incidence can be reduced. Companies that embed the “Integrity Agenda” will bridge the gap between corporate intentions and actual behavior and will also reduce conduct risk and reap the commercial rewards.

Summary

Embedding an integrity culture — good governance, honesty, effective controls and data analytics tools — across a business can reduce risks and improve a company’s performance.
